from the fined dept

Insurance firm Wellpoint apparently left its medical records easily exposed on its servers from last October until March, exposing 470,000 users' medical records, credit card numbers and "other sensitive info." The company discovered the breach in February, but apparently waited until June to tell users. The company has now been fined $300,000 for not promptly notifying users, though that does seem like a rather low number considering how many records were apparently exposed...

from the hits-you-in-the-heartland dept

Remember Heartland Payment Systems? It's the giant credit card clearinghouse that was involved in the largest ever security breach in terms of the number of credit card numbers exposed. They were successfully targeted by the same guys who had also set the previous record for largest credit card data breach, so you could question whether the issue was just a sophisticated group of hackers or poor security at Heartland (or, possibly, a combination of both). Either way, it looks like Heartland may still have some issues. Carlo sends over the news that a new security breach has been discovered at a restaurant in Austin, Texas that appears to involve someone hacking into the network between the restaurant and Heartland. It's not yet clear if this goes beyond that one restaurant, but this can't look good for Heartland.

Update: Heartland got in touch to let us know that this appears to be an issue outside of Heartland's system, and that Heartland is not the target of the investigation into the breach. Heartland's press release is basically pointing out that the weakness was with the restaurant's credit card security, not its own.

from the doesn't-sound-good dept

Last week, we wrote about the security glitch by AT&T, that allowed hackers to figure out the email addresses of 114,000 iPad users. A few people in the comments mocked this news, claiming that such info was pretty much meaningless, as email addresses are hardly private info these days. Of course, that ignored the connection of the email address to the fact that you bought an iPad. But now, some are realizing the potential security problems with this may be significantly worse. Slashdot point us to a story where someone walks through how poor security choices by the various mobile operators means that knowing the information revealed by the glitch can actually reveal much, much more. As the blog post walks through the details, it concludes that potentially, the data from the breach in some cases (though, not all) could then be used to figure out a lot more:

So yeah, knowing someone's ICCID can give you their full unpublished billing name, their cellular phone number (and hence their home address), their current location on a realtime basis, their voicemail, and if you're prepared to follow them around (within a few miles) then you get all their phone calls and SMS messages too.

There is a later edit, when he realizes that the voicemail/phone calls/SMS stuff might not be that big of a deal, since the iPad is not a phone device, but it's still instructive of how a "simple" data breach can lead to much more in certain circumstances.

from the didn't-work dept

The BBC has a story about how the operators of one of the larger botnets that was recently shut down showed up at the offices of a security researcher who helped bring them down... asking for a job. The article highlights how the researcher, Luis Corrons, basically had figured out who was running the botnet after one of the operators made a mistake and revealed his home computer... which actually was not far from where Corrons worked. It was shut down at the end of last year, but a few months later, Corrons had an interesting experience:

In late March Mr Corrons was preparing for a meeting at Panda's Bilbao lab with a journalist and took a moment to dodge downstairs to get a drink. On the way down he passed two young men coming up.

One asked if he was Luis Corrons. He said yes while wondering who they were.

They introduced themselves which left him no wiser. Then, one of them said; "I'm Ostiator and this is Netkairo."

"It was then I realised these guys were the ones that were arrested in the Mariposa case," he told the BBC. "I thought they wanted to teach me a lesson."

Instead, they asked him for a job, saying that the shutdown of the botnet had "robbed them of their livelihood." Apparently, the two guys started following Corrons on Twitter, sending messages his way and commenting on his blog, before asking for work again. They finally brought in one of the guys for an interview, noting that they wouldn't hire anyone involved in criminal activity. The guy responded that he hadn't been charged with anything. However, Corrons also quickly realized that the guy barely had any technical skills -- pointing out that he didn't write the bot, he just ran it:

"He got really annoyed at that moment, when we told him he was not good enough," said Mr Corrons. Subsequent discussion revealed just how poor their skills were.

"They were given the botnet with all the stuff they needed," said Mr Corrons. "Using it was like using any other program."

So, for the script kiddies out there, perhaps before asking for a job from the security researchers who bring your botnet down, you do a bit of work to make sure you have the actual skills.

from the why-doesn't-that-apply-elsewhere? dept

Way back in 2006, we noted a series of cases where people had brought lawsuits over claimed "privacy" breaches, involving lost or leaked data, where the courts repeatedly ruled that if there was no evidence that the leaked data was used for nefarious purposes, there was no case. Odd that this applies to things like privacy, but when you see a similar situation with copyright, no one ever has to show any actual harm. Either way, it looks like courts are continuing to follow this particular line of thought, as a lawsuit against Gap for losing private data has been rejected under the same line of thinking. This also almost certainly means that all those class action lawsuits against Google for possibly collecting some WiFi data, are completely dead in the water. In those cases, the plaintiffs don't even show any evidence that their data was collected, let alone give any proof of harm.

from the raising-the-bar dept

Back in January, we noted that it looked like there might be a new winner in the battle to see who was responsible for the largest ever credit card breach. Until that time, the honor had gone to a series of department stores owned by TJX (TJ Maxx, Marshalls, etc.). That involved info on 94 million credit card holders. Not bad. But the newer deal, involving Heartland Payment Systems appeared to effect well over 100 million. Now, you may have seen the news reports this week that have upped that total to 130 million, as part of the announcement of indictments against three individuals for illegally accessing the data. But, what's fascinating is that the one guy in custody, Albert Gonzalez, was already in custody for his role in the TJX hack (along with some other retailers). Oh, and there's also the tidbit about how he was a government informant, handing over info on (you guessed it) the underworld involved in stolen credit card numbers.

from the how-generous dept

Until earlier this week, TJX held the record for the biggest-ever data leak, for its effort to lose track of some 94 million people's credit card info to a group of hackers. Just to recap, the company lost all the data largely through sheer incompetence, by encrypting its stores' WiFi networks with the easily broken WEP standard, and not having enough security in place to keep the hackers out of its central database after they'd gotten on the network at a single store. Even more astounding was the fact that TJX transmitted credit-card info to banks without any encryption. It was the banks that were largely left holding the bag for all the fraudulent purchases made with the stolen credit-card numbers, while several of the criminals behind the breach were charged, too. What punitive action was taken against TJX? It had to pay a $41 million fine to Visa, but got off with no fine and a wrist slap from the Federal Trade Commission. But apparently the company really wanted to make things up to consumers, so it offered a one-day 15 percent off sale in its US and Canadian stores this week. Wow, so generous, especially to do it in the post-holiday, lets-clear-out-everything-we-didn't-sell-before-Christmas season. You could probably forgive TJX for thinking this would make up for everything, though, since data-leak settlements and punishments are generally toothless and do little to encourage companies to take serious steps to stop the leaks.

from the that-one-again? dept

Back in the early days of the web, there were plenty of stories about a rather simple security breach on various sites. Basically, many sites would simply pass a user's account number through as a part of the URL. If a user simply changed the URL, her or she could see the account info of that other issue associated with the new number. After a few such cases came to light, most web app designers quickly realized to plug that hole, and it's been quite some time since we've heard of a site with such a security hole. However, it appears that there are still a few. The site for Passport Canada, where people can apply for a Canadian passport apparently had exactly that security vulnerability, allowing the guy who discovered it to see the passport application data of other applicants simply by adjusting the URL. It's never nice to hear about a security flaw (especially on a gov't website with all sorts of private info), but it actually induces a bit of nostalgia to hear of such a basic security flaw showing up in the wild yet again.

from the stunning-incompetence dept

In the last few years, every time a massive data breach is reported, you can be assured of one thing: a few weeks after the initial report comes out, a second report will come out admitting that the breach was worse than previously expected. We saw it with Choicepoint. We saw it with the VA. It seems to always happen. In fact, with the now infamous TJX breach, we'd already mentioned that the problems were worse than originally announced -- making it the largest such breach ever reported. This wasn't surprising once you found out just how incompetent the company was -- failing to comply with nearly all of the credit card company's security guidelines and leaving their entire system wide open to anyone who could hack a simple insecure WEP WiFi system (something that's quite easily done). The data from the breach (unlike many other widely announced breaches) has already been used in numerous frauds, costing upwards of $60 million. With such astounding incompetence and a breach so large, should it come as any surprise that even the updated breach numbers weren't complete? That's right, thanks to documents being filed in the lawsuits against TJX, it's now coming out that the breach has impacted even more people than was earlier announced. Of course, the question still remains whether or not the punishment the company receives will matter. It doesn't seem like anything is really done to stop companies from being so careless, and there's no indication that's going to change in this case either.

from the cha-ching dept

The Secret Service has busted four people in Florida, and recovered 200,000 credit cards from the TJX breach that was disclosed earlier this year. Recovering the credit-card numbers at this point does little more than link the fraudsters to the breach, but they're said to have been used to rack up more than $75 million in fraudulent charges. The people busted here didn't apparently participate in the theft of the credit-card data, but bought them from "known cybercriminals in Eastern Europe" and then used the numbers to make counterfeit cards. In any case, they're way more productive than another group of Florida scammers busted back in March, who only managed to rack up $8 million worth of goods at Sam's and Wal-Mart. Since banks get left holding the bag for this type of fraud, expect more lawsuits as they look to recover their losses from TJX's astounding level of incompetence.